@mservices-tech/scripts 3.2.2

package/reverse_proxy/README.md

@@ -0,0 +1,102 @@
+# Reverse-proxy scripts
+
+## Introduction
+
+These scripts are used for setting up and running a reverse proxy for multiple packages using NGINX.
+The configuration provided runs several endpoint proxies using SSL:
+
+| endpoint                       | target           | description          |
+| ------------------------------ | ---------------- | -------------------- |
+| / (root)                       | `localhost:8080` | frontend application |
+| /api/mkanon                    | `localhost:9000` | mKanon API           |
+| /api/styleguide                | `localhost:4000` | Styleguide API       |
+| /api/content-management-system | `localhost:1337` | Headless CMS API     |
+
+> **NOTE: This configuration will also redirect all `http` traffic to `https`.**
+
+## Prerequisites
+
+You may need to install the following packages on your system first:
+
+- openssl
+- nginx
+
+## Quick start
+
+After the initial setup as described in the section below, run the "./run_proxy.sh" script providing
+the backend access token for the CMS as in the example:
+
+```console
+./run_proxy.sh [--help]
+```
+
+In order to stop the server run the script with the following flag:
+
+```console
+./run_proxy.sh --stop
+```
+
+## Setting up development environment
+
+1. Start the needed applications:
+
+| application    | port | notes                                                                        |
+| -------------- | ---- | ---------------------------------------------------------------------------- |
+| frontend       | 8080 | run the application start script - make sure the port is `8080`              |
+| Headless CMS   | 1337 | generate [Strapi API Token](http://localhost:1337/admin/settings/api-tokens) |
+| Styleguide API | 4000 | use `yarn start:local` in `packages/styleguide-api`                          |
+| mKanon API     | 9000 | run the external development server                                          |
+
+2. Generate certificates:
+
+Run the following script:
+
+```console
+./generate_certificates.sh --passphrase="mservices"
+```
+
+Then, follow the instructions shown by the script.
+
+> **NOTE: The instructions provided are Windows specific.**
+
+3. Add a new hosts entry:
+
+> **NOTE: The following method is Windows specific - this step can be skipped.**
+
+Run the following command in elevated (administrator) PowerShell:
+
+```console
+Add-Content -Path $Env:SystemRoot\System32\drivers\etc\hosts -Value "127.0.0.1 development.local"
+```
+
+By doing this, you ensure resolution of `development.local` address to `localhost`.
+
+4. Run proxy server:
+
+```console
+./run_proxy.sh [--help]
+```
+
+A backend access token for Strapi CMS can be provided to the script using either the `BACKEND_ACCESS_TOKEN` environment variable, or using the `--token` flag as above.
+
+5. Test the frontend:
+
+Open [development.local](https://development.local/) in your browser.
+
+6. Test the backend:
+
+Make a request to any of the backend endpoints (in this example, we are using Strapi):
+
+```console
+# should reply 'HTTP/1.1 204 No Content'
+curl --location --insecure --head development.local/content-management-system/\_health
+```
+
+7. You should now be able to access the services at the following addresses:
+
+| service          | URL                                                                                                          |
+| ---------------- | ------------------------------------------------------------------------------------------------------------ |
+| frontend         | [development.local/](https://development.local)                                                              |
+| mKanon API       | [development.local/api/mkanon](https://development.local/api/mkanon)                                         |
+| Styleguide API   | [development.local/api/styleguide](https://development.local/api/styleguide)                                 |
+| Headless CMS API | [development.local/api/content-management-system/](https://development.local/api/content-management-system/) |

package/reverse_proxy/clean.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+source "$(dirname $0)/configuration.sh" || exit 1
+
+rm -rf "$CERTFICATES_DIRECTORY/*.{crt,csr,key,ext}"
+rm -rf "$CERTFICATES_DIRECTORY/*.{pem,srl,pfx}"
+
+rm -rf "$(dirname $0)/nginx_domain_ssl_reverse_proxy.conf"

package/reverse_proxy/configuration.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+export CERTFICATES_DIRECTORY="$(dirname $0)/certificates"
+export CERTFICATE_AUTHORITY_FILE_NAME="custom_certificate_authority"
+export DOMAIN_NAME="localhost"

package/reverse_proxy/generate_certificates.sh

@@ -0,0 +1,140 @@
+#!/usr/bin/env bash
+
+source "$(dirname $0)/../utils.sh" || exit 1
+source "$(dirname $0)/configuration.sh" || exit 1
+
+with_underline=$(tput smul)
+without_underline=$(tput rmul)
+
+windows_installation_instructions="Import the %s into the Trusted Certificate Authorities of Windows:
+
+1. Open (double-click) both 'custom_certificate_authority.pfx' and 'localhost.crt' files
+2. Select \"Local Machine\" and Next
+3. Next again
+4. Enter the password \"%s\" and then click Next
+5. Select \"Place all certificates int he following store:\"
+6. Click on Browse
+7. Choose \"Trusted Root Certification Authorities\", click on Next
+8. Click on Finish
+
+Now your CA certificate will be automatically trusted by Windows and Chrome.
+
+To uninstall the certificate authority:
+1. Open \"certmgr.msc\"
+2. Select \"Trusted Root Certification Authorities\" in the left panel
+3. Open \"Certificates\" in the main window
+4. Right-click on \"localhost development certificate\" and choose \"delete\"
+\n"
+
+macos_installation_instructions="Update the trust settings of each certificate to \"Always trust\" in MacOS:
+
+1. Double click the files \"localhost.crt\" and \"custom_certificate_authority.pem\" and install both
+2. When asked for key passphrase enter \"%s\"
+3. Go to \"System > System Keychain > Certificates\"
+4. Right click on both \"localhost development certificate\" entries
+5. Expand \"Trust\" section and choose \"Always trust\"
+6. A small, blue \"+\" icon should be visible next to the certificate
+
+To uninstall right-click the \"localhost development certificate\" in \"Keychain Access > Certificates\", and choose \"delete\".
+\n"
+
+function usage() {
+  cat << END
+Usage:
+  ./generate_certificates.sh <--passphrase="passphrase"> [--help]
+Where:
+  passphrase - private RSA key passphrase
+  help       - show usage information and exit
+Description:
+  Generates a self-signed TLS certificate using an RSA key pair.
+  The script also provides a certificate authority file that
+  can be used to trust the local proxy on https connections.
+  This process is a prerequisite for running the reverse-proxy server.
+END
+}
+
+function main() {
+  parse_arguments "$@"
+  if [ ${PROCESS_ARGUMENTS['--help']} ]; then
+    usage
+    exit 0
+  elif [ -z ${PROCESS_ARGUMENTS['--passphrase']} ]; then
+    printf "Passphrase not provided. Run with '--help' for more information.\n"
+    exit 1
+  fi
+
+  if ! [ -d "$CERTFICATES_DIRECTORY" ]; then
+    mkdir "$CERTFICATES_DIRECTORY"
+  fi
+
+  # Generate private key
+  openssl genrsa \
+    -des3 \
+    -passout "pass:${PROCESS_ARGUMENTS['--passphrase']}" \
+    -out "$CERTFICATES_DIRECTORY/$CERTFICATE_AUTHORITY_FILE_NAME.key" \
+    2048 || exit 1
+
+  # Generate root certificate
+  openssl req -x509 \
+    -new \
+    -config "$(dirname $0)/openssl.conf" \
+    -passin "pass:${PROCESS_ARGUMENTS['--passphrase']}" \
+    -nodes \
+    -key "$CERTFICATES_DIRECTORY/$CERTFICATE_AUTHORITY_FILE_NAME.key" \
+    -sha256 \
+    -days 825 \
+    -out "$CERTFICATES_DIRECTORY/$CERTFICATE_AUTHORITY_FILE_NAME.pem" || exit 1
+
+  # Create CA-signed certs
+
+  # Generate a private key
+  openssl genrsa \
+    -out "$CERTFICATES_DIRECTORY/$DOMAIN_NAME.key" 2048 || exit 1
+
+  # Create a certificate-signing request
+  openssl req -new \
+    -config "$(dirname $0)/openssl.conf" \
+    -key "$CERTFICATES_DIRECTORY/$DOMAIN_NAME.key" \
+    -out "$CERTFICATES_DIRECTORY/$DOMAIN_NAME.csr" || exit 1
+
+  # Extension configuration
+  envsubst '$DOMAIN_NAME' < "\
+$(dirname $0)/localhost.ext.template" > "\
+$CERTFICATES_DIRECTORY/$DOMAIN_NAME.ext"
+
+  # Create the signed certificate
+  openssl x509 -req \
+    -in "$CERTFICATES_DIRECTORY/$DOMAIN_NAME.csr" \
+    -passin "pass:${PROCESS_ARGUMENTS['--passphrase']}" \
+    -CA "$CERTFICATES_DIRECTORY/$CERTFICATE_AUTHORITY_FILE_NAME.pem" \
+    -CAkey "$CERTFICATES_DIRECTORY/$CERTFICATE_AUTHORITY_FILE_NAME.key" \
+    -CAcreateserial \
+    -out "$CERTFICATES_DIRECTORY/$DOMAIN_NAME.crt" \
+    -days 825 \
+    -sha256 \
+    -extfile "$CERTFICATES_DIRECTORY/$DOMAIN_NAME.ext"
+
+  # shellcheck disable=2143
+  if [[ $(grep -i Microsoft /proc/version) ]]; then
+    printf "Generating .pfx file to to be installed on Windows\n"
+
+    OUTFILE_PFX="$CERTFICATES_DIRECTORY/$CERTFICATE_AUTHORITY_FILE_NAME.pfx"
+
+    openssl pkcs12 \
+      -export \
+      -passin "pass:${PROCESS_ARGUMENTS['--passphrase']}" \
+      -passout "pass:${PROCESS_ARGUMENTS['--passphrase']}" \
+      -out "$OUTFILE_PFX" \
+      -inkey "$CERTFICATES_DIRECTORY/$CERTFICATE_AUTHORITY_FILE_NAME.key" \
+      -in "$CERTFICATES_DIRECTORY/$CERTFICATE_AUTHORITY_FILE_NAME.pem" || exit 1
+
+    printf "Generated %s file\n\n" "$OUTFILE_PFX"
+
+    # shellcheck disable=2059
+    printf "$windows_installation_instructions" "${PROCESS_ARGUMENTS['--passphrase']}"
+  else
+    printf "$macos_installation_instructions" "${PROCESS_ARGUMENTS['--passphrase']}"
+  fi
+}
+
+main "$@"

package/reverse_proxy/localhost.ext.template

@@ -0,0 +1,12 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+# Include the domain name here - Common Name may not be honoured by itself
+DNS.1 = ${DOMAIN_NAME}
+# Optionally, add additional domains (example for a subdomain)
+# DNS.2 = subdomain.${DOMAIN_NAME}
+# Optionally, add an IP address (if the connection requires it)
+# IP.1 = 192.168.0.13

package/reverse_proxy/nginx_domain_ssl_reverse_proxy.conf.template

@@ -0,0 +1,89 @@
+# nginx configuration that adds SSL support to local development
+events {
+  worker_connections 1024;
+}
+
+http {
+  include /etc/nginx/conf.d/*.conf;
+
+  upstream frontend {
+    server 127.0.0.1:8080;
+  }
+
+  upstream backend {
+    server 127.0.0.1:4000;
+  }
+
+  server {
+    listen 80;
+    return 301 https://$host$request_uri;
+  }
+
+  server {
+    listen                    443 ssl;
+    server_name               localhost;
+    access_log                /var/log/nginx/development.local.access.log;
+    ssl_certificate           ${CERTFICATES_DIRECTORY}/${DOMAIN_NAME}.crt;
+    ssl_certificate_key       ${CERTFICATES_DIRECTORY}/${DOMAIN_NAME}.key;
+    ssl_protocols             TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers               "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+    ssl_ecdh_curve            secp384r1;
+    ssl_session_cache         shared:SSL:10m;
+    ssl_session_tickets       off;
+    resolver                  8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout          5s;
+    add_header                X-Content-Type-Options nosniff;
+    index                     index.html;
+
+    location / {
+      proxy_set_header   Host $http_host;
+      proxy_set_header   X-Real-IP $remote_addr;
+      proxy_set_header   X-NginX-Proxy true;
+      proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_http_version 1.1;
+      proxy_redirect     off;
+      proxy_buffering    off;
+      proxy_pass         http://localhost:8080/;
+    }
+
+    location /api/styleguide/ {
+      proxy_set_header   Host $http_host;
+      proxy_set_header   Upgrade $http_upgrade;
+      proxy_set_header   Connection "upgrade";
+      add_header         Access-Control-Allow-Origin "*";
+      proxy_set_header   X-Real-IP $remote_addr;
+      proxy_set_header   X-NginX-Proxy true;
+      proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_http_version 1.1;
+      proxy_redirect     off;
+      proxy_pass         http://localhost:4000/api/styleguide/;
+    }
+
+    location /api/mkanon/ {
+      proxy_set_header   Host $http_host;
+      proxy_set_header   Upgrade $http_upgrade;
+      proxy_set_header   Connection "upgrade";
+      add_header         Access-Control-Allow-Origin "*";
+      proxy_set_header   X-Real-IP $remote_addr;
+      proxy_set_header   X-NginX-Proxy true;
+      proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_http_version 1.1;
+      proxy_redirect     off;
+      proxy_pass         http://localhost:9000/;
+    }
+
+    location /api/content-management-system/ {
+      proxy_set_header   Host $http_host;
+      proxy_set_header   Upgrade $http_upgrade;
+      proxy_set_header   Connection "upgrade";
+      add_header         Access-Control-Allow-Origin "*";
+      proxy_set_header   X-Real-IP $remote_addr;
+      proxy_set_header   X-NginX-Proxy true;
+      proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_http_version 1.1;
+      proxy_pass_header  Authorization;
+      proxy_pass         http://localhost:1337/api/;
+    }
+  }
+}

package/reverse_proxy/openssl.conf

@@ -0,0 +1,21 @@
+[ req ]
+default_bits = 2048
+prompt = no
+default_md = sha256
+req_extensions = req_ext
+distinguished_name = dn
+
+[ dn ]
+C = PL
+ST = maz
+L = Warsaw
+O = mServices sp. z o. o.
+OU = Technology
+CN = localhost development certificate
+
+[ req_ext ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = localhost
+DNS.2 = development.local

package/reverse_proxy/reverse_proxy.sh

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+source "$(dirname "$0")/../utils.sh" || exit 1
+source "$(dirname "$0")/configuration.sh" || exit 1
+
+function usage() {
+  cat << END
+Usage:
+    ${BASH_SOURCE[0]} [--help] [--stop]
+Where:
+    help  - print usage information and exit
+    stop  - stop the NGINX server and exit
+
+Description:
+    Starts the NGINX server with the configuration taken from
+    'nginx_domain_ssl_reverse_proxy.conf'.
+END
+}
+
+function start_server() {
+  printf "Generating NGINX config from template...\n"
+  envsubst '$CERTFICATES_DIRECTORY,$DOMAIN_NAME' < nginx_domain_ssl_reverse_proxy.conf.template > nginx_domain_ssl_reverse_proxy.conf
+
+  printf "Starting the reverse proxy server. Logs will be stored in '/var/log/nginx/'\n"
+  sudo mkdir -p /var/log/nginx
+  sudo chmod -R 755 /var/log/nginx
+  sudo nginx -c "$(pwd)"/nginx_domain_ssl_reverse_proxy.conf
+}
+
+function stop_server() {
+  printf "Stopping NGINX server...\n"
+  sudo nginx -s stop 2> /dev/null
+}
+
+function main() {
+  parse_arguments "$@"
+  if [ ${PROCESS_ARGUMENTS['--help']} ]; then
+    usage
+    exit 0
+  elif [ ${PROCESS_ARGUMENTS['--stop']} ]; then
+    stop_server
+    exit 0
+  fi
+
+  start_server
+}
+
+main "$@"